
    Introduction

    Module 2: Data Protection and Press Freedom

    “Personal data” refers to any information relating to an identified or identifiable individual(1) — in other words, an individual who can be directly or indirectly identified without requiring unreasonable time, effort or resources(2). While not an independent right under the European Convention on Human Rights (ECHR), protection of personal data is recognised as an integral part of the right to respect for one’s private life guaranteed in Article 8 of the ECHR. For a long time, tension between freedom of the media and the right to privacy emerged largely from the act of publishing protected personal data. It is in this context that the ECtHR initially developed its approach to balancing the two rights. However, digital technologies have revolutionised how personal data is collected, stored, analysed, and shared, and the media’s move online has made almost all media content indefinitely accessible to anyone with an internet connection, regardless of when it was published. Moreover, search engines have made retrieving such content exceptionally easy. In this new environment, the online retention of publications – that is, their continuous ready availability on the internet – has become a separate concern for anyone seeking to protect their privacy from the media. The solution to this new challenge arrived in the form of a “right to be forgotten”, famously conceptualised by the CJEU in the Google Spain case. Since then, national courts and the ECtHR have grappled with reconciling measures designed to implement the right to be forgotten with freedom of the media – with mixed results.

    Legal framework for data protection: the European Union

    The right to the protection of personal data is expressly recognised in Article 8 of the Charter of Fundamental Rights of the European Union (which is binding on both the EU institutions and bodies and the EU member states).  Article 8 stipulates that personal data “must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law” and that everyone “has the right of access to data which has been collected concerning him or her, and the right to have it rectified.” It also obliges member states to establish independent authorities to supervise the implementation of these requirements.

    Central to the EU’s data protection regime is the General Data Protection Regulation (GDPR), adopted in April 2016. As the world’s most advanced piece of legislation on the subject, it has influenced data protection laws in many countries outside the EU.

    The GDPR’s regime is based on the following principles for processing personal data:(3)

    • Personal data must be processed fairly and lawfully, and must not be processed unless the stipulated conditions are met.
    • Personal data must be obtained for a specified purpose (or purposes), and must not be further processed in any manner incompatible with that purpose.
    • Personal data must be adequate, relevant and not excessive in relation to the purpose (or purposes) for which it is processed.
    • Data must be accurate and, where necessary, kept up to date.
    • Personal data must not be kept for longer than is necessary for collection.
    • Personal data must be processed in accordance with the rights of data subjects provided for under the data protection law.
    • Appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
    • Personal data must not be transferred to another country that does not ensure an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal information.

    Legal framework for data protection: the Council of Europe

    The 1981 Convention for the Protection of Individuals with regard to Automated Processing of Personal Data (a.k.a. Convention 108) was the first legally binding international instrument dedicated to data protection. In 1999, it was amended to allow the European Communities to join it. In 2001, an Additional Protocol was adopted to introduce new obligations related to supervisory authorities and transborder data flow. Finally, in May 2018, an Amending Protocol was adopted to introduce a new, “modernised” version of the Convention, referred to as Convention 108+ (not yet in force).(4) The modernised version brings the Convention closer to the GDPR regime. However, one of the significant remaining gaps is that Convention 108 does not introduce a data subject’s right to obtain the erasure of their personal data (the right to be forgotten), which is expressly guaranteed in Article 17 of the GDPR.

    In addition, the Committee of Ministers of the Council of Europe has adopted several recommendations directly relevant to data protection online:

    • Recommendation CM/Rec(2010)13 of the Committee of Ministers to member States on the protection of individuals with regard to automatic processing of personal data in the context of profiling;
    • Recommendation CM/Rec(2012)3 of the Committee of Ministers to member States on the protection of human rights with regard to search engines;
    • Recommendation CM/Rec(2012)4 of the Committee of Ministers to member States on the protection of human rights with regard to social networking services.

    As was mentioned above, the right to the protection of one’s personal data has been read by the European Court of Human Rights into Article 8 of the ECHR. A few examples of the large variety of personal data the European Court of Human Rights (‘the ECtHR’) has found to be protected by Article 8 include: internet subscriber information associated with specific dynamic; fingerprints, cellular samples, and DNA profiles; publicly accessible information on the taxable income and assets of private individuals; data collected by means of non-covert video surveillance.(5)

    Footnotes

    1. Article 2 of the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) (accessible at https://rm.coe.int/1680078b37).
    2. Explanatory report, para. 17 (accessible at https://rm.coe.int/convention-108-convention-for-the-protection-of-individuals-with-regar/16808b36f1).
    3. Information Commissioner’s Office, ‘A guide to the data protection principles’ (accessible at https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-protection-principles/a-guide-to-the-data-protection-principles/#the_principles).
    4. For a summary of the main changes introduced by Convention 108+, see Council of Europe, ‘The modernised Convention 108: novelties in a nutshell’ (accessible here).
    5. For more examples, see ECtHR’s Guide to the Case-Law of the European Court of Human Rights, p. 8 (accessible at https://ks.echr.coe.int/documents/d/echr-ks/guide_data_protection_eng).